pushing up text rendering
Hi everybody...

To my knowledge, when SA renders the HTML part of the email, it just removes the HTML tags and presents the result. OK so far. But what if there is invisible text inside HTML tags due to its CSS style? Example, to hide the word HOLA:

Hkkdelavaca OkkdelavacaLkkdelavaca A

so the rendered text is:

HkkdelavacaOkkdelavacaLkkdelavacaA

Any thoughts, please?

Thanks!
Pedro.
Re: Plugin for content modification
Yea Matus, thanks, I know it very well, just wondering whether someone tried it before or not via plugins...

Thanks again!
Pedro.

On Monday, February 19, 2024 at 01:42:46 PM GMT+1, Matus UHLAR - fantomas wrote:

On 19.02.24 12:37, Pedro David Marco via users wrote:
>Does anyone know of a plugin for content modification?

SpamAssassin detects spam, it is not designed to do content modification.

> an example, i want to change the word 'sex' for '---'

Anyway, this is a bad idea, for example you can cause changing middlesex to middle--- or sextant to ---tant. You would also invalidate DKIM signatures.

Try avoiding this clbuttic problem.
https://en.wikipedia.org/wiki/Scunthorpe_problem

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
Plugin for content modification
Hi everybody...

Does anyone know of a plugin for content modification? An example: I want to change the word 'sex' for '---'.

Thanks in advance,
Pedro.
Re: Stealth HREF= (missed by SA)
The same happens with other HTML tags... so, with Giovanni's permission, I tighten the nut one more turn (limiting to 100 chars to prevent regex self-DoS):

rawbody BADHREF /<(a|img|video)[^>]{0,100}\/(src|href)\=/

Pete.

On Thursday, September 14, 2023 at 04:37:15 PM GMT+2, wrote:

On 9/14/23 16:24, Bill Cole wrote:
> On 2023-09-14 at 04:37:03 UTC-0400 (Thu, 14 Sep 2023 17:37:03 +0900)
> Joe Wein via users
> is rumored to have said:
>
>> I filed a bug for this issue on Bugzilla (#8186) but so far no response from
>> developers.
>> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8186
>
> FWIW, I've thought about it a bit...
>
>> We're seeing literally millions of phishing spams from Tencent VMs in
>> Singapore targeting mostly Amazon Japan that are getting around SA checks
>> because of this issue.
>
> Wow. I didn't expect that this was that big of a tactic.
>
>> I am wondering how many other users are seeing this problem which allows
>> spammers to circumvent URI checks in links in spam (i.e. hide the payload
>> sites).
>
> I don't see it, but the systems I manage have no reason to expect anything
> but criminal-grade spam from anything on a Tencent network in Singapore.
> Everyone gets their own bespoke spamstream I guess.
>
>> They do it by prefixing the href= attribute in an HTML tag
>> with letters and a slash, for example:
>>
>> https://some.phishing.site:>https://amazon.co.jp
>>
>> Both Chrome and mail clients like Mozilla Thunderbird discard that "h/"
>> prefix (perhaps treating it as a separate unrecognizable attribute, like "> h href="...") and display a clickable link to the payload site while
>> SpamAssassin will not see the URI and therefore not it through any of the
>> rules for URIs.
>>
>> This means even if the bad site is listed on domain RBLs (SURBL, Spamhaus or
>> URIBL), the mail is not tagged for that.
>>
>> Joe Wein
>> SURBL
>
> I'm thinking that the best approach may not be in trying to parse the bogus
> tag to glean a domain that may or may not be known to be bad, but rather to
> detect the general pattern, which is itself a direct indicator of bad intent.
>

rawbody BADHREF /\s+.\/href\=/

should be a start to write a rule to catch those spam messages.

Giovanni
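The two rawbody rule bodies in this thread can be exercised offline before they go into a .cf file. The script below is an added example, not code from the thread or from the SpamAssassin project: it transcribes both regexes verbatim and runs them over a handful of constructed tag samples (example.invalid is a reserved placeholder domain) so the coverage and false-positive trade-off between the two patterns is visible.

```python
import re

# The two rawbody rule bodies from this thread, transcribed verbatim between
# the slashes (Perl and Python agree on this syntax; neither rule uses /i,
# so both are case-sensitive exactly as written in the thread).
RULES = {
    "BADHREF_giovanni": re.compile(r"\s+.\/href\="),
    "BADHREF_pedro":    re.compile(r"<(a|img|video)[^>]{0,100}\/(src|href)\="),
}

# Constructed sample tags (not taken from any real message).
SAMPLES = {
    "plain link":        '<a href="https://example.invalid/">x</a>',
    "prefixed href":     '<a h/href="https://example.invalid/">x</a>',
    "prefixed img src":  '<img x/src="https://example.invalid/i.png">',
    "uppercase tag":     '<A H/HREF="https://example.invalid/">x</A>',
    # 200 chars of harmless attributes sit between <a and the prefixed href,
    # beyond the {0,100} window of the tightened rule.
    "prefix past 100ch": '<a ' + 'title="x" ' * 20 + 'h/href="https://example.invalid/">x</a>',
    # A legitimate href whose path merely contains "/href=".
    "href= inside path": '<a href="https://example.invalid/p/href=1">x</a>',
}

def scan(line, rules=RULES):
    """Return the names of the rules whose regex hits the raw line."""
    return [name for name, rx in rules.items() if rx.search(line)]

def scan_all(samples=SAMPLES):
    """Run every sample through every rule: {label: [rule names that hit]}."""
    return {label: scan(line) for label, line in samples.items()}

if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label:20s} -> {hits or 'no hit'}")
```

The output shows the shape of each rule: Giovanni's pattern catches the prefixed href regardless of how far it sits from the tag start but ignores img/video src, while Pedro's bounded pattern catches src too, misses a prefix placed beyond 100 characters, and fires on a normal link whose path happens to contain "/href=" because [^>] also matches inside a quoted attribute value. Neither rule matches uppercase tags as written; adding /i would change that.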
Re: My apologies
It is like a man that goes to a bookstore and asks: "Do you have books on how to make friends, you fucking clerk?" :-

Pedro. (Sorry for the ugly word)

On Saturday, August 5, 2023 at 08:53:09 PM GMT+2, Kevin A. McGrail wrote:

Reindl is the definition of something I learned decades ago as an energy creature. DNFTEC is an acronym to live by.

Suggested reading: http://www.cryonet.org/cgi-bin/dsp.cgi?msg=6284

KAM

On Sat, Aug 5, 2023, 13:24 Grant Taylor via users wrote:

On 8/5/23 8:04 AM, Ralph Seichter wrote:
> Well, that is what local mail killfiles are for. The world is sadly
> full of morons, but one does not necessarily have to accept mail
> from them.

Agreed.

The catch is that he keeps tripping up people that have not had the ... experience of dealing with him and thus have not ... quieted him yet.

Grant. . . .
what is ncv.microsoft.com for?
Hi all,

We are receiving tons of phishing pointing to ncv.microsoft.com/

I have found no MS documentation about what "ncv" is used for??? Does anyone know it, please? What is it?

Pete.
Re: OFF-TOPIC ANNOUNCE: KAM Ruleset Turning PCCC Wild RBL Back On
With all respect, I agree with Bill... but just suppose Bill is wrong... KAM rules are free and show really huge quality; what is wrong about gently asking for cooperation if they are used in a commercial way?

KAM++

Pedro.

On Tuesday, March 21, 2023 at 06:18:38 PM GMT+1, Bill Cole wrote:

On 2023-03-21 at 12:52:16 UTC-0400 (Tue, 21 Mar 2023 17:52:16 +0100)
Benny Pedersen
is rumored to have said:

> Kevin A. McGrail skrev den 2023-03-21 17:27:
>
>> https://mcgrail.com/template/donate
>
> you know the rules to post commercial postings to public free
> maillists ?,

What rules exactly are you referring to? Please cite them precisely, in grammatically decipherable English. Note that if the 'rules' being cited are not on an ASF site, they do not apply here.

The McGrail Foundation is not a commercial entity. That's why that page talks of donating rather than purchasing, and why it refers to a US tax code section. Noting the enhancement of a widely-used free service for SA users provided by a non-profit charitable foundation with in-kind support from a commercial entity (Linode, A.K.A. Amazon) is not a commercial posting.

If you want kolektiva.social, it is over there...

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
X_IBL: header
Hi, sorry for the semi-offtopic, but we are seeing emails with a header like this:

X-IBL: Fact3

Does anyone have any clue about it?

Thanks,
Pete.
Re: sharepoint phish routed through sharepointonline/outlook
RBL checks for FQDNs, not just domains, would be a good idea...

Pedro.

>On Sunday, January 15, 2023 at 08:47:59 PM GMT+1, Alex wrote:
>Hi,
>X-Spam-Status: No, score=1.102 tagged_above=-200 required=5
>tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>DKIM_VALID_EF=-0.1, DMARC_PASS=-0.1, FMBLA_HELO_OUTMX=-0.01,
>FMBLA_RDNS_OUTMX=-0.01, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
>LOC_FILE_SHARE_PHISH1=0.75, LOC_FROMADDR=0.01, LOC_FROMNAME=0.01,
>LOC_IMGSPAM=0.1, LOC_XORIGORG=0.01, MIME_HTML_ONLY=0.1,
>RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001,
>RCVD_IN_SENDERSCORE_80_89=-0.4, RELAYCOUNTRY_LOW=0.1, RELAYCOUNTRY_US=0.01,
>SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TXREP=-0.166] autolearn=disabled
>'m reporting it to spamcop and training bayes, but does anyone have any other
>ideas?
>Is this just someone using their sharepoint account to send a phish? Perhaps
>account takeover?
>https://pastebin.com/2CJ3SLf2
Problems matching the last word in multi-OR Regex
Hi,

Situation: I have 2 twin servers running exactly the same OS and SA (3.4.4). I have an email with the word 'dog' inside. I have this rule:

body __ANIMALS /cat|mouse|bird|dog/i

Problem: rule __ANIMALS hits in one server, but in the other one it does not!

I have noticed that if I switch the rule words order, like this:

body __ANIMALS /cat|mouse|dog|bird/i

and 'dog' is not the last word, then it hits on both servers. I have tried many permutations and it only fails with the word that appears last in regular expressions with multiple ORs.

Has anyone seen this before? Is that a known bug?

Thanks...
Pete.
Re: spamassassin sometimes suddenly ends scanning
It is very, very common to find VPSs running on PC motherboards, not server mobos... so no ECC. It is also very common in VPSs to overclock RAM, so stability is not its main virtue..

Ask them, Greg, and demand details and proof of the real hw being used.

Pedro.

On Tuesday, November 29, 2022 at 03:41:24 PM GMT+1, Greg Troxel wrote:

Henrik K writes:

>> I see occasional coredumps (as in perl.core). It is often enough to be
>> annoying (beyond worrisome that it happens at all), but not reproducible
>> and no apparent pattern.
>
> Try memtester/memtest86, atleast if it's not a proper server with ECC
> memory..

>I am pretty sure the hardware is OK, but I can't really run memtest86 as
>it is a VPS. Spamassassin has trouble often, and the machine does a
>lot of other things, and they are all trouble-free. The logs do not
>show a single core dump from anything else.

> And if you have core dumps, running gdb would be helpful:
>
> $ gdb /usr/bin/perl /path/to/core
> (gdb) backtrace

>Yes, and I should rebuild it all with -g.

>But it sounds like others are not seeing this, which is a useful
>datapoint.
Re: Hidden parts in anchors texts
Thanks to all, it should be much easier and simpler. Currently PerMsgStatus contains both visible and invisible rendered html from the body. What in my modest opinion would be very useful would be to have the same when it comes to anchors from links.

Regards,
Pete.

On Tuesday, August 30, 2022 at 10:33:41 AM GMT+2, Matus UHLAR - fantomas wrote:

>On 8/29/2022 1:10 PM, Matus UHLAR - fantomas wrote:
>>perhaps ExtractText module could do that.
>>It's available in SA4 (currently beta afaik) and on:
>>https://github.com/DavidGoodwin/ExtractText

On 30.08.22 01:00, Kevin A. McGrail wrote:
>NOTE that I don't believe the version in SA4 is the same as that
>github version. I'd recommend the one in the SA 4.0.0 RC1.

I just wanted to point to version that MIGHT work with former SA versions. Of course I recommend trying SA4 too (works here from Debian experimental).
Hidden parts in anchors texts
Hi,

Is there any way to make SA ignore hidden text in anchors in URI checks (using uri_detail)? Just an example:

https://fakeurl.com;>KeXXXep

SA renders anchor_text as: KeXXXep

but I would like it to be: Keep

Thanks,
Pete.
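Both this post and "pushing up text rendering" above describe the same gap: a renderer that only strips tags concatenates text the reader never sees, so body rules and anchor_text checks match the wrong string. The script below is an added example, not code from the posts or from SpamAssassin: it uses Python's stdlib HTMLParser to separate text hidden by inline CSS (display:none, visibility:hidden, zero font size) from visible text, and records the visible text of each anchor next to its href. The two samples are constructed to mirror the HOLA and KeXXXep cases (fakeurl.invalid is a reserved placeholder name).

```python
from html.parser import HTMLParser
import re

# Constructed samples (not from the posts): the first mirrors the "HOLA" case
# from "pushing up text rendering", the second the "KeXXXep" anchor from
# "Hidden parts in anchors texts".
SAMPLE_BODY = (
    'H<span style="display:none">kkdelavaca</span>'
    'O<span style="font-size:0px">kkdelavaca</span>'
    'L<span style="visibility:hidden">kkdelavaca</span>A'
)
SAMPLE_ANCHOR = '<a href="https://fakeurl.invalid/">Ke<span style="display:none">XXX</span>ep</a>'

# Inline style values that make an element's text invisible to the reader.
# The font-size branch only matches an exact zero (0, 0px, 0.0em, ...), not 0.5em.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|%)?(?![\w.])",
    re.I,
)

def strip_tags(html):
    """Naive rendering: drop every tag and keep all text. This is what
    concatenates the hidden fragments into HkkdelavacaOkk...A."""
    return re.sub(r"<[^>]*>", "", html)

class VisibleTextParser(HTMLParser):
    """Collect text the way a reader sees it: text inside an element whose
    inline style hides it goes to `hidden`, everything else to `visible`.
    The visible text of each <a> is recorded separately as its anchor text."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.anchors = [], [], []
        self._stack = []        # one bool per open element: did it hide its content?
        self._hidden_depth = 0  # > 0 while inside any hidden element
        self._anchor = None     # href and visible-text buffer of the open <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1
        if tag == "a":
            self._anchor = {"href": attrs.get("href") or "", "text": []}

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1
        if tag == "a" and self._anchor is not None:
            self.anchors.append((self._anchor["href"], "".join(self._anchor["text"])))
            self._anchor = None

    def handle_data(self, data):
        if self._hidden_depth:
            self.hidden.append(data)
            return
        self.visible.append(data)
        if self._anchor is not None:
            self._anchor["text"].append(data)

def render(html):
    """Return (visible_text, hidden_text, [(href, visible_anchor_text), ...])."""
    parser = VisibleTextParser()
    parser.feed(html)
    parser.close()
    return "".join(parser.visible), "".join(parser.hidden), parser.anchors

if __name__ == "__main__":
    for label, sample in (("body", SAMPLE_BODY), ("anchor", SAMPLE_ANCHOR)):
        visible, hidden, anchors = render(sample)
        print(f"{label}: naive={strip_tags(sample)!r}")
        print(f"{label}: visible={visible!r} hidden={hidden!r} anchors={anchors}")
```

The length of the hidden string is itself a usable signal: a message whose hidden text is comparable in size to its visible text is shaped like the HOLA example. Only inline style attributes are inspected here; a class hidden through a style sheet in the head would need the stylesheet resolved as well.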
Re: shit from serverion
>On Thursday, June 30, 2022, 09:12:59 AM GMT+2, Benoit Panizzon wrote:
>>All my attempts to reach out to ab...@serverion.com or any other
>contacts found on their website remained unreplied.

When a company does that they deserve to be sent to /dev/null

--Pedro.
Re: shit from serverion
On our side it is a huge list as well... does Serverion send anything clean?

Pedro.

On Wednesday, June 29, 2022, 04:02:05 PM GMT+2, Matus UHLAR - fantomas wrote:

On 29.06.22 13:14, Marc wrote:
>Today I decided to spend some time getting all the ip's[1] (these are all
> /24 thus you have to add 164.215.103.1-164.215.103.255) of serverion, who
> is sending out constant stream of crap. I thought about posting it here
> so you do not need to do this work. If you do some random checks, you can
> see this looks weird[2]. Do as you please with this info.

FYI I use local rbldnsd at SA and MTA level, one IP zone for ip-based blocking at MTA level and SA and one zone for domain blocking at MTA level and URI search.

long time ago there was distributed RBL where multiple admins did block unwelcome mail senders... afaik it's dead

>[1]
>164.215.103.1 164.215.103.1 164.215.96.254 171.22.17.0 109.205.211.0
>141.98.6.0 109.206.240.0 164.215.101.0 109.206.242.0 109.206.241.0
>109.206.243.0 185.246.222.0 185.218.138.0 185.126.34.0 185.225.73.0
>185.216.68.0 185.225.74.0 185.246.220.0 185.216.71.0 171.22.30.0 185.225.75.0
>185.72.9.0 185.252.178.0 185.252.179.0 193.124.207.0 193.124.91.0 185.254.37.0
>193.124.203.0 185.246.223.0 193.124.205.0 192.124.172.0 193.37.40.0
>193.47.61.0 194.135.23.0 194.180.48.0 194.48.250.0 194.58.60.0 193.124.95.0
>194.55.186.0 194.169.172.0 193.233.176.0 193.233.177.0 193.233.178.0
>193.233.179.0 193.233.180.0 193.233.181.0 193.233.182.0 193.233.183.0
>193.233.184.0 193.233.185.0 193.233.186.0 193.233.187.0 193.233.188.0
>193.233.189.0 193.233.190.0 193.233.191.255 194.87.136.0 194.87.132.0
>194.87.133.0 194.87.134.0 194.87.135.255 194.87.128.0 194.87.108.0
>194.87.129.0 194.58.67.0 194.87.137.0 194.87.114.0 194.87.130.0 194.87.131.0
>194.87.171.0 194.87.178.0 194.87.200.0 194.87.169.0 194.87.168.0 194.87.170.0
>194.87.204.0 194.87.208.0 194.87.209.0 194.87.212.0 194.87.246.0 194.87.3.0
>194.87.251.0 194.87.250.0 194.87.226.0 194.87.227.0 194.87.24.0 194.87.25.0
>194.87.26.0 194.87.27.255 194.87.228.0 194.87.229.0 194.87.230.0
>194.87.231.255 194.87.219.0 194.87.22.0 194.87.84.0 194.87.86.0 194.87.72.0
>194.87.75.0 194.87.90.0 194.87.87.0 194.87.42.0 194.87.74.0 194.87.85.0
>194.87.73.0 195.133.31.0 195.133.28.0 195.133.32.0 195.133.84.0 195.133.80.0
>195.133.75.0 195.133.39.0 195.133.38.0 195.133.76.0 195.133.35.0 195.178.121.0
>195.133.86.0 195.58.35.0 195.58.52.0 195.133.85.0 195.58.50.0 195.58.53.0
>212.192.11.0 195.178.120.0 195.58.54.0 195.58.54.255
>
>[2]
>4.169.172.5 griffith.tahoerealestateloans.com.
>194.169.172.6 jones.tahoerealestateloans.com.
>194.169.172.7 watkins.tahoerealestateloans.com.
>194.169.172.8 phillips.tahoerealestateloans.com.
>194.169.172.9 howard.tahoerealestateloans.com.
>194.169.172.10 atkinson.tahoerealestateloans.com.
>194.169.172.11 obrien.tahoerealestateloans.com.
>194.169.172.12 smith.tahoerealestateloans.com.
>194.169.172.13 fleming.tahoerealestateloans.com.
>194.169.172.14 grant.tahoerealestateloans.com.
>194.169.172.15 schultz.tahoerealestateloans.com.
>194.169.172.16 adams.tahoerealestateloans.com.
>194.169.172.17 fisher.tahoerealestateloans.com.
>194.169.172.18 avila.tahoerealestateloans.com.
>194.169.172.19 crawford.tahoerealestateloans.com.
>194.169.172.20 francis.tahoerealestateloans.com.
>194.169.172.21 hunt.tahoerealestateloans.com.
>194.169.172.22 ayers.tahoerealestateloans.com.
>194.169.172.23 barker.tahoerealestateloans.com.
>194.169.172.24 sullivan.tahoerealestateloans.com.
>194.169.172.25 campos.tahoerealestateloans.com.
>194.169.172.26 sanders.tahoerealestateloans.com.
>194.169.172.27 harris.tahoerealestateloans.com.
>194.169.172.28 delacruz.tahoerealestateloans.com.
>194.169.172.29 carlson.tahoerealestateloans.com.
>194.169.172.30 walker.tahoerealestateloans.com.
>194.169.172.31 ortega.tahoerealestateloans.com.
>194.169.172.32 pearson.tahoerealestateloans.com.
>194.169.172.33 noble.tahoerealestateloans.com.
>194.169.172.34 scott.tahoerealestateloans.com.
>194.169.172.35 barnes.tahoerealestateloans.com.
>194.169.172.36 ortiz.tahoerealestateloans.com.
>194.169.172.37 davis.tahoerealestateloans.com.
>194.169.172.38 lane.tahoerealestateloans.com.
>194.169.172.39 dominguez.tahoerealestateloans.com.
>194.169.172.40 gonzalez.tahoerealestateloans.com.
>194.169.172.41 zavala.tahoerealestateloans.com.
>194.169.172.42 rhodes.tahoerealestateloans.com.
>194.169.172.43 stewart.tahoerealestateloans.com.
>194.169.172.44 bailey.tahoerealestateloans.com.
>194.169.172.45 knight.tahoerealestateloans.com.
>194.169.172.46 wilson.tahoerealestateloans.com.
>
>
>
>193.233.176.13 juvis.e-hitart.co.uk.
>193.233.176.14 tastat.free-business-directory.co.uk.
>193.233.176.15 rgissa.free-business-directory.co.uk.
>193.233.176.16 haytap.free-business-directory.co.uk.
>193.233.176.17 ssvax.free-business-directory.co.uk.
>193.233.176.18 sryian.imakoocars.co.uk.
>193.233.176.19
pay attention if you use unrar
Sorry for the semi off-topic, but it is worth sharing... important unrar bug...

https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/

Regards,
Pedro.
Re: Spamhaus spurious positives - how does SpamAssassin check Spamhaus?
To me it looks like a DNS cache times issue... Paul, what resolver are you using? Is your server under heavy load when this happens? If it is Linux, run netstat -suna and check for any errors in the UDP area. In FreeBSD, netstat -sa.

Pedro.

On Saturday, May 7, 2022, 06:36:43 PM GMT+2, Paul Pace wrote:

>On 2022-05-07 07:53, Benny Pedersen wrote:
> On 2022-05-07 16:42, Paul Pace wrote:
>> I have set up SpamAssassin with the following in
>> /etc/spamassassin/mycustomscores.cf:
>
>> * 10 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
>> * blocklist
>> * [URIs: wikileaksdotorg]
>
> add to /etc/spamassassin/mycustomskipuribl.cf:
>
> skip_uribl_domains wikileaksdotorg

>The problem with this solution is I don't know which domain is going to
>be next, plus I'm not so much looking for a solution to this specific
>result, but rather I want to understand why there is a disparity between
>what SpamAssassin is reporting and what the Spamhaus website is
>reporting.

> or reduce spamhaus score

>With this I will get more spam in my inbox, especially spam sent from
>compromised accounts which usually have lots of positive modifiers.
[no subject]
Good question... probably an interesting new feature for SA: dividing and dealing with attached emails (and nested emails that look like a chat) on a one-by-one basis...

Pete.

>On Tuesday, April 26, 2022, 02:36:25 PM GMT+2, Matus UHLAR - fantomas wrote:
>Hello,
>is it possible to match message headers in rfc822 attachments?
>from what I know, "header" rules only apply to mail headers and mimeheader
>only apply to mime headers.
>body and rawbody afaik only search in bodies of messages or included messages.
>I have asked some time ago but no success:
>https://marc.info/?l=spamassassin-users=132282473328809=2
>is this possible now or do we need out-of SA solution for this?
>--
>Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>Fighting for peace is like fucking for virginity...
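Matching headers of a message carried as a message/rfc822 attachment, which the question above says header and mimeheader rules do not reach, is straightforward outside SA with a MIME parser that descends into nested messages. The script below is an added example, not code from the thread or from SpamAssassin: it walks a constructed multipart message (every address is a reserved example.invalid placeholder), collects every attached message at any nesting depth, and applies a regex to a chosen header of those attached messages only, leaving the outer headers alone.

```python
import email
from email import policy
import re

# Constructed sample (not a real message from the thread): an outer mail
# carrying a forwarded message as a message/rfc822 attachment.
SAMPLE = """\
From: outer@example.invalid
To: me@example.invalid
Subject: Fwd: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

see attached
--outer
Content-Type: message/rfc822

From: billing@example.invalid
To: victim@example.invalid
Subject: Your invoice is overdue
X-Mailer: ConstructedMailer 1.0
Content-Type: text/plain

pay now
--outer--
"""

def parse(raw):
    """Parse raw RFC 5322 text with the modern EmailMessage API."""
    return email.message_from_string(raw, policy=policy.default)

def attached_messages(msg):
    """Return the messages carried as message/rfc822 parts, at any depth.
    walk() already descends into nested messages, so a message attached
    inside an attached message is found too."""
    return [part.get_payload(0) for part in msg.walk()
            if part.get_content_type() == "message/rfc822"]

def attached_subjects(raw):
    """Subjects of every attached message, for a quick look."""
    return [str(m.get("Subject", "")) for m in attached_messages(parse(raw))]

def match_attached_header(raw, header, pattern):
    """Values of `header` in attached messages that match `pattern`
    (case-insensitive search, like an SA header rule with /i). The outer
    message's own headers are deliberately not consulted."""
    rx = re.compile(pattern, re.I)
    hits = []
    for inner in attached_messages(parse(raw)):
        for value in inner.get_all(header, []):
            if rx.search(str(value)):
                hits.append(str(value))
    return hits

if __name__ == "__main__":
    print("attached subjects:", attached_subjects(SAMPLE))
    print("overdue in attached Subject:", match_attached_header(SAMPLE, "Subject", r"overdue"))
    print("Fwd in attached Subject:", match_attached_header(SAMPLE, "Subject", r"^Fwd"))
```

The same walk can feed the attached message back through a full scan, which is what the "one by one" handling in the reply above would amount to.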
Semi off-topic: Problems with SpamRats
Sorry for the semi-off-topic... is there anybody on the list from SpamRats or with any contact at SpamRats, please? I am having issues with them and it seems impossible to contact them...

Thanks and sorry for bothering!
---Pete.
Emotet seems to be back...
Heads up!!!

Sorry for the semi off-topic... but just in case this may help... Encrypted zip files with dangerous obfuscated macros inside calling our beloved PowerShell...

Pedro
Re: spam from gmail.com
The same with Microsoft 365... A couple of weeks ago tons of M365 IP ranges got into their own RBLs... good job!!!

Pedreter.

>On Tuesday, November 9, 2021, 01:09:39 PM GMT+1, Peter wrote:
>
>This has been going on for a long time, Google is now one of my top spam
>sources - I blacklist other servers very aggressively.
>I now increase the
>score on mail from google.com and occasionally check the spam catch and add
>any real sender to a whitelist.
>That means most gets quarantined and dumped,
>and the rest get slowed until I check them, and the couple of people that
>have asked about the delay have been happy when I explain what is happening.
>>It seems that people aren't taking google as seriously any more.
Re: Identifying Amazon hosts...
Hi Antony, please accept my apologies and excuse my lack of accuracy in asking. I have near-zero knowledge of Amazon, AWS, SES, etc..

My belief is that there are public Amazon SMTP servers that can be used by their customers (SES) and servers you have for your own...

Again, please everybody, bear with my lack of knowledge.

Thanks.

On Wednesday, July 28, 2021, 08:05:27 PM GMT+2, Antony Stone wrote:

> Hi!
> i have spam with this header:
>
> Received: from a48-115.smtp-out.amazonses.com (HELO
> a48-115.smtp-out.amazonses.com) (54.240.48.115)
>
> Is there any way, based on its fqdn, to know whether an Amazon smtp host is
> public or dedicated?

Apologies for what may seem like a silly question, but what's the difference?

Antony.
Identifying Amazon hosts...
Hi!

I have spam with this header:

Received: from a48-115.smtp-out.amazonses.com (HELO a48-115.smtp-out.amazonses.com) (54.240.48.115)

Is there any way, based on its fqdn, to know whether an Amazon smtp host is public or dedicated?

Thanks!
Pedreter.
Re: Email Phishing and Zloader: Such a Disappointment
>On Monday, July 12, 2021, 04:01:03 AM GMT+2, Kevin A. McGrail wrote:
>If you can get me a spample, I'm sure I can tell you but in general we
>block macros so that's all that's needed. Likely the OLEVBMacro plugin
>and KAM ruleset is blocking all of these already if you have the plugin
>enabled.

The initial email does not have a macro... they use an old MS feature where a document marks itself as "incomplete" and tells the MS Office app where to download the missing part, which contains the payload. To my knowledge (very limited) only zipped versions of MS files can use that feature. Within them, there are 2 data structures to check if you want to find prizes...

-Pedro.
Re: Office phish
On Monday, July 5, 2021, 11:45:42 PM GMT+2, RW wrote:
>I'm not sure what you are referring to there. If you copy and paste a
>web page into an HTML email, are you not just copying the formatting?

Agree RW, but... copy and paste from web source to MUA works!

--Pedreter.
Re: Office phish
>On Thursday, July 1, 2021, 05:03:50 PM GMT+2, RW wrote:
> What legitimate email uses javascript?

Pretty common! Many people copy and paste from webs.. and of course these are important mails! :-(

Pedreter
Re: adobe cloud malicious link
Even worse, Adobe injects several redirections and never offers the PDF, so there is nothing to scan even if you follow the links.

Let's keep thinking on it...

Pedro.

On Saturday, June 5, 2021, 12:48:00 AM GMT+2, Alex wrote:

>Hi,
>I received what appears to be a legitimate email from what looks like
>a compromised adobe account that itself contains no malicious links,
>but redirects to a malicious link once on the adobe site.
>I don't suppose there's any protection against this, considering the
>malicious link isn't contained within the email itself?
>Once on the site, it displays a PDF designed to look like a docusign document with a malicious link.
Re: Random results with AskDns
I have set buffers to 20MB per core and results are great:

# sysctl -w net.core.rmem_default=20971520

0% packets lost... with the default value of 200KB, packet loss went easily above 30%.

You can check if you have this problem with:

# netstat -suna

look for errors in the UDP area.

--Pedteter.

On Tuesday, March 2, 2021, 04:44:35 PM GMT+1, Benny Pedersen wrote:

>On 2021-03-02 16:26, Pedro David Marco wrote:
>> Correct Kernel UDP tuning solves the problem!
>
>in verbose this is ?
Re: Random results with AskDns
Tried both and with/without cache...

Pedreter...

On Tuesday, March 2, 2021, 04:46:08 PM GMT+1, Matus UHLAR - fantomas wrote:

On 02.03.21 15:26, Pedro David Marco wrote:
>Just in case someone has this issue...
>Short version:
>In heavy load environments, SA produces more UDP traffic (specially if answers
>are big, typically happens with TXT queries) than Linux kernel can handle with
>default buffers (tested in Debian Buster), so many SA queries never get an
>answer and die on timeout. This not only affects final SA result, but
>performance.
>Correct Kernel UDP tuning solves the problem!

do you run local resolving (non-forwarding) DNS server?

> On Monday, March 1, 2021, 06:06:24 PM GMT+1, Pedro David Marco
> wrote:
>
>>Hi all,
>>When there are several hundreds of lookups, Askdns / Async abort
>>many of them randomly even when 100% of queries got an answer.
>>I use local dns cache but every run of SA produces different number of
>>aborted remaining lookups.
>>if you dig manually from command line any aborted
>>query, answer is immediate.
>>I have not found any related bug in SA Bugzilla.. (pretty similar to this one
>> 7875 – AskDNS plugin does not correctly handle CNAMEs leading to TXTs )
>>After some debug, it seems that answers are not harvested properly... and
>>around 30% of them are lost in every run.
>>It is not a timeout problem: both tcpdump and dns-cache log show immediate
>>answers to 100% of queries in less than 1 second.
>>May this be solved in the new AskDns John Hardin mentioned some days ago?
>

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
Re: Random results with AskDns
SOLVED!

Just in case someone has this issue...

Short version: in heavy load environments, SA produces more UDP traffic (especially if answers are big, which typically happens with TXT queries) than the Linux kernel can handle with default buffers (tested in Debian Buster), so many SA queries never get an answer and die on timeout. This not only affects the final SA result, but performance.

Correct kernel UDP tuning solves the problem!

---Pedreter.

On Monday, March 1, 2021, 06:06:24 PM GMT+1, Pedro David Marco wrote:

>Hi all,
>When there are several hundreds of lookups, Askdns / Async abort many
>of them randomly even when 100% of queries got an answer.
>I use local dns cache but every run of SA produces different number of aborted
>remaining lookups.
>if you dig manually from command line any aborted query,
>answer is immediate.
>I have not found any related bug in SA Bugzilla.. (pretty similar to this one
>7875 – AskDNS plugin does not correctly handle CNAMEs leading to TXTs )
>After some debug, it seems that answers are not harvested properly... and
>around 30% of them are lost in every run.
>It is not a timeout problem: both tcpdump and dns-cache log show immediate
>answers to 100% of queries in less than 1 second.
>May this be solved in the new AskDns John Hardin mentioned some days ago?
Random results with AskDns
Hi all,

When there are several hundreds of lookups, Askdns / Async abort many of them randomly even when 100% of queries got an answer. I use local dns cache but every run of SA produces a different number of aborted remaining lookups. If you dig manually from the command line any aborted query, the answer is immediate.

I have not found any related bug in SA Bugzilla.. (pretty similar to this one: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7875 )

After some debug, it seems that answers are not harvested properly... and around 30% of them are lost in every run.

It is not a timeout problem: both tcpdump and dns-cache log show immediate answers to 100% of queries in less than 1 second.

May this be solved in the new AskDns John Hardin mentioned some days ago?

Thanks,
-Pedreter.
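The resolution of this thread, and the "netstat -suna" advice given in the Spamhaus thread above, both come down to one kernel counter: UDP datagrams dropped because a socket receive buffer was full. The script below is an added example, not code from the thread or from SpamAssassin: it parses the Udp: rows of /proc/net/snmp (the same counters netstat -su prints) into the receive-buffer loss ratio, reads the live counters and the current net.core.rmem_default when running on Linux, and flags the condition the thread describes. The embedded snmp text is a constructed sample whose numbers are chosen to show the roughly 30% loss reported in the thread; the 20971520 figure is the value from the sysctl line posted above.

```python
import os

# Constructed sample of the "Udp:" lines of /proc/net/snmp (not captured from
# any real host); the values are made up to reproduce ~30% receive-buffer loss.
SAMPLE_SNMP = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
Udp: 700000 12 300000 1100000 300000 0 0 0 0
"""

RMEM_FROM_THREAD = 20971520  # net.core.rmem_default (bytes) set with sysctl in the thread
DEFAULT_RMEM = 212992         # the ~200KB default the thread compares against (assumed typical)

def parse_udp_counters(snmp_text):
    """Zip the 'Udp:' header row with the 'Udp:' value row into a dict."""
    rows = [line.split()[1:] for line in snmp_text.splitlines() if line.startswith("Udp:")]
    if len(rows) < 2:
        raise ValueError("no Udp: header/value row pair found")
    return dict(zip(rows[0], (int(v) for v in rows[1])))

def receive_buffer_loss(counters):
    """Approximate share of inbound UDP datagrams dropped for lack of socket
    buffer space. The kernel counts such drops in RcvbufErrors (and InErrors)
    rather than in InDatagrams, so the denominator adds them back."""
    dropped = counters.get("RcvbufErrors", 0)
    total = counters.get("InDatagrams", 0) + dropped
    return dropped / total if total else 0.0

def verdict(counters, threshold=0.01):
    """Flag the thread's failure mode: any non-trivial receive-buffer loss means
    DNS answers are being discarded before the resolver library sees them."""
    loss = receive_buffer_loss(counters)
    return {"loss": loss, "rcvbuf_errors": counters.get("RcvbufErrors", 0),
            "needs_tuning": loss > threshold}

def live_udp_counters(path="/proc/net/snmp"):
    """Live counters on Linux, None on other systems."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return parse_udp_counters(fh.read())

def current_rmem_default(path="/proc/sys/net/core/rmem_default"):
    """Current net.core.rmem_default in bytes, None if unavailable."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return int(fh.read().strip())

if __name__ == "__main__":
    counters = live_udp_counters() or parse_udp_counters(SAMPLE_SNMP)
    print("source:", "live /proc/net/snmp" if live_udp_counters() else "constructed sample")
    print(verdict(counters))
    print("net.core.rmem_default:", current_rmem_default(), "(thread used", RMEM_FROM_THREAD, ")")
```

Because these counters only grow since boot, compare two readings taken a minute apart under load rather than the absolute numbers; a rising RcvbufErrors while SA is scanning is the signature the thread describes, and a flat one with ongoing timeouts points back at the resolver rather than the kernel.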
Re: URLs hidden in Morse code
On Thursday, February 11, 2021, 09:49:35 PM GMT+1, Bill Cole wrote:

>Web-based MUAs (SquirrelMail, Horde, GMail, Outlook Web Access, etc.)
>brought back some support for JavaScript in mail, but as I understand
>some of them do some defanging of scripts and the advancement of browser
>limitations on nefarious scripts has also helped make those less
>dangerous than they could be.

You are very optimistic, Bill... :-D

Users copy and paste full web pages in an email and click the "send" button, singing at the same time...

Pedrete
Re: QR-decoding
I already did that... it collects URLs, email boxes and BTC wallets from QR codes (whether the full image is a QR code or the image 'contains' a QR) and injects them back into SA.

If there is interest in the community, maybe I can make it a standalone plugin and send it to Kevin for consideration...

--Pedreter

On Tuesday, February 2, 2021, 09:30:36 AM GMT+1, Olivier wrote:

Benny Pedersen writes:

> On 2021-02-02 03:37, Kevin A. McGrail wrote:
>> Nothing I'm aware of. Contact me off-list if you have any spamples.
>> Maybe there are other indicators.
>
> +1
>
>> On Mon, Feb 1, 2021 at 10:39 AM Valentijn Sessink
>> wrote:
>
> i like samples aswell
>
>>> (I.e. checked against blocklists et al)
>
> the images can be matched in clamav, send image sample to sanesecurity
>
> if its sendgrid forwards its mostly still need more rbl listed
>

What about doing a proper SA plugin that finds the QR in an image, decodes it and injects the associated text/URL as a document part to be parsed by SA?

Something like what is being described there maybe https://docparser.com/blog/barcode-pdf-documents-images/

Best regards,

Olivier
--
Re: HEADS UP: SPAMCOP MIA
spamcop seems back.. but... we need to be 100% sure that the people behind it are who they should be

- Pedreter

On Sunday, January 31, 2021, 08:11:30 PM GMT+1, Axb wrote:

On 1/31/21 8:04 PM, Bill Cole wrote:
> On 31 Jan 2021, at 6:58, Axb wrote:
>
>> Happy Sunday !!!
>>
>> Cisco forgot to renew spamcop.net
>> Registry Expiry Date: 2022-01-30T05:00:00Z
>>
>> Better disable till it's fixed
>>
>> score RCVD_IN_BL_SPAMCOP_NET 0
>>
>>
>> Stay safe!
>
> SpamAssassin was already "safe" in that it checks the SpamCop BL for a
> TXT record containing 'spamcop' rather than simply for the existence of
> an A record. For other DNSBLs, specific values are required in A records.
>

had forgotten the TXT thing... was a warning for ppl in general.. even for such using spamcop at MTA level.

whatever..
Emotet today..
Hi all... sorry for the semi off-topic...

Today Emotet is being sent in an encrypted zip with the password embedded into an anti-OCR image.. watch out!

-Pedrete
Understanding firebasestorage URLs...
Hi!

I am trying to understand firebase URLs.. like this:

https://firebasestorage.googleapis.com/v0/b/hust-28d4c.appspot.com/o/olgen%2Findex2ton.html?alt=media=35970e26-0fe8-44ad-ae93-d38929669e81#i...@susmuelas.com

(handle carefully: real phishing)

Is there any doc/info about it? Fields meaning?

Thanks!
--Pereter.
Re: Apache SpamAssassin and Spammers 1st Amendment Rights
Your freedom ends where my rights start.
Parsing Sendgrid links
Does anyone know how to parse Sendgrid redirection links like this:

https://u15178038.ct.sendgrid.net/ls/click?upn=UgxaS24gNWvLFnxuRn0rD7yEB8283lpOzJbYCl-2BDIEoXpgCZWC85CVCSMWWLv7d8PUrbpDyLJSfJKqQvzZXNfw-3D-3Djkdm_XsGA-2Fgkm2IVk-2FlYw8ReyfPf5dkRMjAf-2BMJiZBo-2B42nZP1FD9PWIpHZFF9vj7mZg836sNXYVioj8zpxC5VYJcvvwxg0oWexfVUiJQZheF3GD8fXrLSbDgQiUMZmVOvFs0NGwkB0jBXdyvXgJHzqSZWyq2EKH-2Fx4a-2FogQYLTzm4NzjUF-2BHuT91NdbFzqNFCaeboV2yYlvolpv4AjhavQb9pNjYTzd8lQqjk72SxeaKFwU-3D

Following them to detect the 302 redirect is an option, but parsing would be much faster...

Thanks,
--Pedreter
sa-compile time in SA 3.4.4
Hi everybody...

I have noticed a huge difference in compiling time between SA 3.4.2 and 3.4.4 (3.4.4 is much, much faster), but I have not seen anything in the "what_is_new docs" about it... does it make sense??

Thanks...
---Pedreter
Re: Announcement of the passing of Jari Fredriksson
:-( sad news, Kevin... thanks for letting us know...

Rest in peace, Jari...

-Pedreter

On Monday, September 21, 2020, 06:13:11 PM GMT+2, Kevin A. McGrail wrote:

Definitely. For those who have inquired, that was supposed to read "I am sorry to announce that Jari Fredriksson died on July 25th. He..."

On 9/21/2020 11:36 AM, Axb wrote:
> Sad news. My thoughts are with his family.
>
> On 9/21/20 4:31 PM, Kevin A. McGrail wrote:
>> Some know that Jari's mirror broke a few weeks ago and we've been trying
>> to reach him. I am sorry to announce that Jari Fredriksson was a great
>> supporter of the project running an sa-update mirror, helping with our
>> masscheck program, testing releases, and just generally being a great
>> member of our community.
>>
>> On behalf of the entire project, I'd like to extend our condolences to
>> him and his family. He will be missed.
>>
>> If anyone wishes to send a note of condolences it can be done through
>> Jouni, his employer. http://www.jounivirtanenconsulting.com/contact/
>>
>> Sincerely,
>>
>> Kevin A. McGrail
>>
>
>

-- 
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: blacklisting the likes of sendgrid, mailgun, mailchimp etc.
>On Thursday, September 17, 2020, 12:44:52 PM GMT+2, Marc Roos wrote:
>For what it is worth. I was always under the impression that most of
>those companies that are using these networks known for 'harassing'
>were just ignorant. I used to do business with the 'idiots' of
>tucows/opensrs, trying to explain to them that it is not really wise to
>send password reset emails via the same mail servers that their 'cheap
>clients' are using for spamming.

+1

We see quite often companies sending valid invoices via free Sendgrid accounts.

Pedreter
Re: Check HELO
>On Monday, September 14, 2020, 05:23:13 PM GMT+2, John Hardin wrote: >I don't check for FCrDNS explicitly, but I do reject non-FQDN HELO strings >(e.g. no dots present) from the Internet. That catches a surprising > percentage of garbage up front. +1 -Pedreter
spamd children keep working with previous configuration after reload or restart...
Hi everybody! Sometimes sending a HUP signal to the parent spamd daemon, or even restarting it, does not cause a reload in all spamd children. Normally (99% of the time) all children work with the current config as expected, but 1% of the time... some children work with the current config and some children keep working with the previous config.. weird... This happens randomly, so I am not able to reproduce the problem on purpose... I am considering either sending the HUP signal not to the spamd parent but to the parent and each and every child... Maybe setting "Maximum connections accepted by child" to a lower number (default is 200) could also help. Can I ask for opinions, please?? (SA version 3.4.2) Thanks... --Pedrete
Re: Freshdesk (again)
If they only had some IP addresses instead of millions of them, for sure they would care!! Pedro. >On Monday, August 17, 2020, 08:52:24 PM GMT+2, @lbutlr wrote: >On 17 Aug 2020, at 11:25, Philip Prindeville > wrote: > I've been calling out phishing from the same (IP) address for 10 days without > any apparent (observable) action from Sendgrid. >Not a shock; they simply do not care. >> At this point I'm wondering if they have compromised relays. >It seems to me like everything is working by design.
Re: Detecting SendGrid shared IPs
>On Thursday, July 16, 2020, 03:26:08 PM GMT+2, Riccardo Alfieri wrote: >Bumping a little the score for shared IPs? Could make sense.. Exactly... -Pedro
Detecting SendGrid shared IPs
Is there any way to know whether a Sendgrid IP is shared or dedicated? Thanks in advance! Pedro
Re: Negative lookbehind in URIs?
Bill, Shane... we do that with a plugin because exceptions must be considered... for example to avoid false positives with rewritten URLs (used by some companies) -Pedro.
Re: Negative lookbehind in URIs?
Nice, Loren. Nowadays with uri_detail this is easily solved with something like:
uri_detail HTTPS_HTTP_MISMATCH text =~ /^https:\/\//i cleaned =~ /^http:\/\//i
score HTTPS_HTTP_MISMATCH 0.5
describe HTTPS_HTTP_MISMATCH URL claims to use SSL but it does not
-Pedro >On Wednesday, July 15, 2020, 02:20:34 AM GMT+2, Loren Wilton wrote: > I'm looking to detect a mismatch between the domain in the href > property of a URI and a domain in the anchor text itself. >Not using > lookbehind, but I long ago wrote these two rules to look for similar > situations. Either could be modified fairly easily to do what you want. >Note: these are probably around 10 years old, written before there were URI >rules (if I remember correctly) so there may be more efficient ways to do >these these days. Loren >#check for attempting to phish >rawbody __LW_PHISH_2 >m']+>https://[^\d]'is >full __LW_PHISH_2a >m']+>https://[^\d]'is >meta LW_PHISH_2 __LW_PHISH_2 || __LW_PHISH_2a >score LW_PHISH_2 50 >describe LW_PHISH_2 numeric href with https description >#score __LW_PHISH_2 1 >#score __LW_PHISH_2a 1 >rawbody __LW_PHISH_3 /]+>https:/is >full __LW_PHISH_3a /]+>https:/is >meta LW_PHISH_3 __LW_PHISH_3 || __LW_PHISH_3a >score LW_PHISH_3 50 >describe LW_PHISH_3 secure description with insecure link >#score __LW_PHISH_3 10 >#score __LW_PHISH_3a 1
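As an added example (not from the thread and not SpamAssassin code), the same check the HTTPS_HTTP_MISMATCH rule above expresses, done in Python over a constructed HTML snippet, plus the href-host versus anchor-text-host comparison Loren asked about, with an allowlist for URL-rewriting hosts, which is the false-positive case mentioned in the reply to Bill and Shane. The HTML, host names and the rewriter host are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML; the hosts are example/documentation names, not real sites.
SAMPLE_HTML = """
<p>Please verify your account at
<a href="http://login.example.net/verify">https://secure.example.com/verify</a></p>
<p>Docs: <a href="https://docs.example.com/">https://docs.example.com/</a></p>
<p>Wrapped: <a href="https://rewriter.example.org/v1?u=abc">https://docs.example.com/faq</a></p>
<p>Plain: <a href="http://news.example.org/">Read the newsletter</a></p>
"""

ANCHOR_RE = re.compile(
    r'<a\b[^>]*?\bhref\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r'<[^>]+>')


def anchors(html):
    """Yield (href, visible text) pairs: roughly uri_detail's 'cleaned' and 'text' keys."""
    for m in ANCHOR_RE.finditer(html):
        text = ' '.join(TAG_RE.sub('', m.group(2)).split())
        yield m.group(1), text


def https_http_mismatch(html):
    """Hrefs whose anchor text claims https:// while the real target is plain http://
    (what the HTTPS_HTTP_MISMATCH rule in the thread tests)."""
    return [href for href, text in anchors(html)
            if re.match(r'https://', text, re.I) and re.match(r'http://', href, re.I)]


def host_mismatch(html, rewriter_hosts=()):
    """(href, text) pairs where the anchor text is itself a URL whose host differs from
    the href host. Hosts in rewriter_hosts are skipped: link-rewriting services wrap
    the original URL and would otherwise be reported on every message they touch."""
    hits = []
    for href, text in anchors(html):
        if not re.match(r'https?://', text, re.I):
            continue  # anchor text is not a URL, nothing to compare
        href_host = (urlparse(href).hostname or '').lower()
        text_host = (urlparse(text).hostname or '').lower()
        if href_host in rewriter_hosts:
            continue
        if href_host != text_host:
            hits.append((href, text))
    return hits


if __name__ == '__main__':
    print(https_http_mismatch(SAMPLE_HTML))
    print(host_mismatch(SAMPLE_HTML, rewriter_hosts={'rewriter.example.org'}))
```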
Re: How to force the use of NON compiled rules
Solved... forget this please and sorry for bothering... I need to rest... --Pedro. >On Tuesday, July 14, 2020, 05:47:33 PM GMT+2, Pedro David Marco wrote: >Sometimes (not always) when non-compiled rules do not match compiled ones, >SA says: > dbg: zoom: skipping rule __PHISH_TEXT_SOLUC18i, code differs in compiled ruleset >Is there a simple way to force the use of non-compiled rules over compiled ones >when there is a mismatch?
How to force the use of NON compiled rules
Sometimes (not always) when non-compiled rules do not match compiled ones, SA says: dbg: zoom: skipping rule __PHISH_TEXT_SOLUC18i, code differs in compiled ruleset Is there a simple way to force the use of non-compiled rules over compiled ones when there is a mismatch? Thanks! -Pedro
Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave
I already opened a voting process here Marc... LET's VOTE... Would you like to have Apache Spamassassin change "WhiteList" and "BlackList" terms due to racism sensibilities? -Pedro On Tuesday, July 14, 2020, 09:51:29 AM GMT+2, Marc Roos wrote: > I never said it was being done for engineering reasons. The change is > being done to remove racially-charged language from Apache > SpamAssassin. As an open source project, we are part of a movement > built on a foundation of inclusion that has changed how computing is > done. The engineering concerns are outweighed by the social benefits > and your huffing is not going to stop it. > If you are referencing open source and community, why is this group not voting on this? Why is only a small group deciding what is being done? Such a vote can hardly classify as open source, community or democratic. Why is it you who decides what is "racially-charged language"? Why don't you wait for some university research to be done, to see what "racially charged words" are, and what the implications are of using "racially charged words"? Why not keep dual support, so people do not need to change their configs? If the argument is not to use these terms, then a fresh install would comply with this. You are part of the Apache Software Foundation; what is even their stance on this subject? I can't imagine all projects are going to start modifying code; what about standards? The haste in making this decision only shows incompetence. The problem with people in IT nowadays is that they decide on things they should not decide on. It is like a dentist starting to do brain surgery. As I said, your team is not qualified to make a decision on this subject, because you lack information and education on this subject. Stick to what you have been doing, nothing more, nothing less.
Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave
Maybe Apache just needs some more figures... Is there any black lady/gentleman on this list who feels offended by those terms? Please raise your hand... LET's VOTE... Would you like to have Apache Spamassassin change "WhiteList" and "BlackList" terms due to racism sensibilities?
Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave
>On Friday, July 10, 2020, 10:10:20 AM GMT+2, Axb wrote: >so glad to read this... confirms my picture of you. >now back to my pet project: rewrite Tom Sawyer OK... who starts??? :-) once finished we can rewrite "El Quixote" as well... --Pedro
Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave
>On Friday, July 10, 2020, 12:26:59 PM GMT+2, Marc Roos wrote: >Hey Pedro, I don't know for sure, I do not want to create a new problem, >but this yahoo, was this word not used during the railroad building to >encourage and push slaves to work harder? Would you mind using a different >email address? Agree Marc... indeed I will change my name because "Pedro" was the guy who denied Jesus Christ three times... :-( -Pedro.
Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave
Blacklist means "protection", so it is something positive... Whitelist is for something wrong you cannot solve... so where is the problem? This is like the change from SystemV to SystemD. Please stop creating new problems! -Pedro
Re: Multiple regex on same URL
>On Wednesday, July 8, 2020, 12:28:37 AM GMT+2, Martin Gregorie wrote: >>I didn't spot the requirement that the URIs must match: I read your >requirement as being that two matches from a group of URLs within a >defined set or with the same second level domain would do. My mistake. Probably my fault, Martin.. my "English" leaves much to be desired... >Might it be easier to define and implement with a decent RDBMS and a >clever SQL query? The simplest way has been to patch uri_detail plugin so it can combine multiple equal keys with OR or AND on demand... :-) Pedro
Re: Multiple regex on same URL
>On Tuesday, July 7, 2020, 11:56:22 PM GMT+2, Martin Gregorie wrote: > That should be easy enough to do with a metarule: >uri __SUBRULE1 /(URL alternateslist1)/ >uri __SUBRULE2 /(URL alternateslist2)/ >meta MYMETARULE (__SUBRULE1 && __SUBRULE2) >score MYMETARULE 6.0 >...or something like that >Martin Thanks Martin, but the meta may be positive if one URL triggers SUBRULE1 and another different URL triggers SUBRULE2... how can you be sure both SUBRULES are positive in the "same" URL? -Pedro
Re: Multiple regex on same URL
>On Tuesday, July 7, 2020, 03:16:34 PM GMT+2, Henrik K wrote: >Also newer SpamAssassin already has URIDetail plugin which can also do what >you want: > uri_detail SYMBOLIC_TEST_NAME key1 =~ /value1/ key2 !~ /value2/ ... if it uses the same key more than once, then uri_detail joins them with "OR", but we need an "AND" -Pedro
Re: Multiple regex on same URL
>On Tuesday, July 7, 2020, 01:05:36 PM GMT+2, Henrik K wrote: >What exactly do you mean by checking multiple regex on the "same" URL? Give >an example. Most likely it's already possible without any changes. for example.. checking if a URL matches Regex1 BUT does NOT match Regex2 can be done with lookahead/lookbehind but is CPU-expensive and may be too complex to maintain... Pedro
Re: Freshdesk (again)
>On Tuesday, July 7, 2020, 11:24:10 AM GMT+2, Raymond Dijkxhoorn wrote: >Hello Marc, >I hear you. And don't worry about that ;) I'd rather have a clean inbox and so do >more people. >We report abuse to many organisations, including, but not limited to, companies >like sendgrid. >Raymond Dijkxhoorn - SURBL We are so tired of reporting abuse with no answer at all that we stopped reporting problems some time ago :-( As Marc Roos has said... we are not paid for it! Ironically... we have run into problems a couple of times for reporting abuses... probably someone considering you are "suggesting" they are not doing their job... If Sendgrid reacts to the reports, bravo for them! Pedro
Multiple regex on same URL
I have written a small simple patch (tested in SA 3.4.2 so far, sorry) to be able to check up to three regex expressions on the "same" URL. It seems to work well but... any crazy (with all respect) volunteer for checks.. tests... etc? Disclaimer: I am not a super Perl developer, so the code may be ugly for Perl monks :-( sorry.. Regards, ---Pedro.
Re: google as biggest botnet, no kidding
>On Wednesday, May 13, 2020, 10:27:15 AM GMT+2, Matus UHLAR - fantomas wrote: >maybe there are some pieces of anti-malware SW that check websites >...and maybe they need to be paid for So they know those websites are dangerous and even so they allow them??? >maybe you should use the common format for signatures... line "-- " at the >beginning and signature below. ACK! Thanks. --Pedro.
Re: HTTP checks on sending IP
Thanks a lot Dominic -Pedro On Wednesday, May 13, 2020, 07:58:56 AM GMT+2, Dominic Raferd wrote: On Wed, 13 May 2020 at 06:27, Pedro David Marco wrote: > > Not long ago, there was a very interesting thread post about the idea > of a reverse > check of the website content of the sending IP... > > To my recollection even a "spamassassiner" wrote a plugin for that. > > Honouring my terrible (lack of) brain, I cannot find those posts. Please can > anyone help me to find them or point me to the plugin? I believe the thread you are referring to is from Feb-Mar 2019 here: http://spamassassin.1065346.n5.nabble.com/Spam-rule-for-HTTP-HTTPS-request-to-sender-s-root-domain-td154612.html I was using the OP's suggested rule (which calls his server), but on checking I see that it has not triggered since 1 October 2019, so I have now turned it off; presumably he turned off his server facility a long time ago. He provided the code to set up your own at https://github.com/mikernet/HttpCheckDnsServer, but I have not tried this.
HTTP checks on sending IP
Not long ago, there was a very interesting thread post about the idea of a reverse check of the website content of the sending IP... To my recollection even a "spamassassiner" wrote a plugin for that. Honouring my terrible (lack of) brain, I cannot find those posts. Please can anyone help me to find them or point me to the plugin? Thanks in advance... Pedro.
Re: google as biggest botnet, no kidding
>On Tuesday, May 12, 2020, 02:16:52 PM GMT+2, micah anderson wrote: >We receive a *huge* amount of phishing attempts from firebasestorage. My >regular routine is to wake up, and report these to google safebrowsing, >but it doesn't seem to have much of an effect. >There *are* occasional, like 1%, false positives... but something needs >to happen here. It is very "suspicious" that one nanosecond exactly after the phishing site appears in Google, the URL appears in Safebrowsing.. it is absolutely impossible for a human being to react that fast! Of course, only in the "paid" version of Safebrowsing... not in the free one... of course... -Pedro.
Re: Spoofed From: names
To my recollection, (as Grant, I need my caffeine truck as well) there are some MS Outlook CVEs related to the way MS Outlook shows the "From:" information, to the extent of showing just some "piece" of it... So this kind of "From:" may have significant impact on unpatched computers... ---Pedreter. On Saturday, April 11, 2020, 05:50:05 PM GMT+2, RW wrote: >On Thu, 9 Apr 2020 16:17:51 -0400 >Kevin A. McGrail wrote: >> On 4/9/2020 10:16 AM, micah anderson wrote: > > What is the current state of the art for dealing with tricking > > people in the From with the "Name" part? For example: > Hi Micah, I believe the FromNameSpoof plugin is the current state of > the art. > > >I see that the plugin rules don't distinguish between the irresponsible >format of: > > From: "Mr Bill (mb...@legitemail.com)" >and more seriously deceptive formats like:> From: ">mb...@legitemail.com" > > From: "Mr Bill " >
Rules order to save processing time
I have a very heavy regex rule set that only makes sense if a very simple regex triggers... I think it would be a good idea to have some kind of TFLAG, for example: tflags depends_on to indicate that a rule must run ONLY if a previous one was positive. What do you think?? Pedro.
Re: Bayes files LOCK
On Friday, February 14, 2020, 7:46:18 PM GMT+1, John Hardin wrote: >> I was looking at it in a bit more detail and it looks like there isn't >> a reader-writer lock, just write locks for the toks and seen >> files. As scans defer their writes through the journal they are >> lockless. >So, auto-training may be problematic w/r/t locking as well. I presume that >window is coded to be as small as possible. Sure RW and John... but in theory the use of a DB should avoid that need, that makes sense when using just files... Pedro.
Re: Bayes files LOCK
>On Friday, February 14, 2020, 1:17:29 PM GMT+1, RW > wrote: >That would defeat the object of having a journal file. >>Even if you are right, >it doesn't really explain anything because it >applies to everyone using >BDB/DBM/SDBM. >>IIWY I'd be looking at what's different for you. I basically agree with you RW... but my hopes are that using any other DB than files may allow concurrent writes to the DB...
Re: Bayes files LOCK
>On 13.02.20 12:30, RW wrote: >>Bayes doesn't write on scans (unless it does an opportunistic sync or >expiry): > >doesn't it record token access times to journal? I think SA always does an EXclusive lock despite the parameters, probably because of that, Fantomas. I will try with SDBM... Thanks... Pedro.
Re: Bayes files LOCK
Fully aligned with my suspicions... I love Redis... I think someone posted some time ago a performance table showing local / sql / redis ... I will look for it... but it would not surprise me if remote Redis is even faster than a local DB... Thanks! Ďakujem mnohokrát Fantomas! Pedro. On Wednesday, February 12, 2020, 7:32:42 PM GMT+1, Matus UHLAR - fantomas wrote: On 12.02.20 18:03, Pedro David Marco wrote: >I am getting errors from Bayes because it is not able to lock Bayes files... >Error log is: > bayes: cannot open bayes databases /etc/spamassassin/bayes/bayes_* R/W: lock >failed: Interrupted system call > > SA tries to lock bayes files always in "EXclusive mode", hence when a sa >takes too long, all other processes have to wait for the lock... > >This is my config:
>use_bayes 1
>bayes_path /etc/spamassassin/bayes/bayes
>bayes_auto_learn 0
>bayes_auto_expire 0
>lock_method flock
this is your problem. bayes is designed for one user, not for all of them. If you want, you can move the bayes database to SQL or to redis, but I don't recommend that for a multiuser machine. For a single user, the bayes database can simply be in your $HOME/.spamassassin/ >SA uses EXclusive lock because it has "to write"... my question is... > Is there any way to avoid SA writing Bayes files? in that case a > non-exclusive lock would be enough... no. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Spam is for losers who can't get business any other way.
Bayes files LOCK
Hi.. I am getting errors from Bayes because it is not able to lock Bayes files... Error log is: bayes: cannot open bayes databases /etc/spamassassin/bayes/bayes_* R/W: lock failed: Interrupted system call SA tries to lock bayes files always in "EXclusive mode", hence when a sa takes too long, all other processes have to wait for the lock... This is my config:
use_bayes 1
bayes_path /etc/spamassassin/bayes/bayes
bayes_auto_learn 0
bayes_auto_expire 0
lock_method flock
SA uses EXclusive lock because it has "to write"... my question is... Is there any way to avoid SA writing Bayes files? In that case a non-exclusive lock would be enough... Thanks! Pedro.
Re: Two types of new spam
Hi Philip... try this:
full __L_RECEIVED_SPF /^Received-SPF: \w/m
tflags __L_RECEIVED_SPF multiple maxhits=11
meta L_RECEIVED_SPF (__L_RECEIVED_SPF >= 10)
describe L_RECEIVED_SPF Crazy numbers of Received-SFP headers
score L_RECEIVED_SPF 4
-Pedro. On Friday, January 3, 2020, 12:08:21 AM GMT+1, Philip Prindeville wrote: I'm getting the following Spam. http://www.redfish-solutions.com/misc/bluechew.eml And this is notable for having: GUID1 GUID2 GUID3 GUID4 … so it should be easy enough to detect. A GUID looks like: [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{3}-[0-9a-f]{3}-[0-9a-f]{12} The 2nd type of Spam I'm seeing looks like: http://www.redfish-solutions.com/misc/received-spf.eml which contains: Received: from mta.amapspa.it ([127.0.0.1]) by localhost (mta.amapspa.it [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id U5M-E2lVwWem; Sat, 2 Nov 2019 00:19:36 +0100 (CET) Received-SPF: none (amapspa.it: No applicable sender policy available) receiver=mta.amapspa.it; identity=mailfrom; envelope-from="dario.scarpu...@amapspa.it"; helo="[91.134.159.128]"; client-ip=91.134.159.128 Received-SPF: none (amapspa.it: No applicable sender policy available) receiver=mta.amapspa.it; identity=mailfrom; envelope-from="dario.scarpu...@amapspa.it"; helo="[91.134.159.128]"; client-ip=91.134.159.128 Received-SPF: none (amapspa.it: No applicable sender policy available) receiver=mta.amapspa.it; identity=mailfrom; envelope-from="dario.scarpu...@amapspa.it"; helo="[91.134.159.128]"; client-ip=91.134.159.128 … with that line being repeated some 40 times, each line being identical. I tried a rule like: header __L_RECEIVED_SPF exists:Received-SPF tflags __L_RECEIVED_SPF multiple maxhits=20 meta L_RECEIVED_SPF (__L_RECEIVED_SPF >= 10) describe L_RECEIVED_SPF Crazy numbers of Received-SFP headers score L_RECEIVED_SPF 20.0 but it never seems to match. I've not tried to debug this, but it seems that duplicated headers might not be saved as a list into the headers? (Is there an easy way to see what exists:Received-SPF is evaluating as?) If that's the case, it would seem to be a shortcoming. Can anyone confirm that's indeed what's happening? Thanks, -Philip
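As an added example (not from the thread and not SpamAssassin code), the two detections discussed above done in Python over a constructed message: counting repeated Received-SPF headers both through the header parser and with the same anchored /m regex as the 'full' rule, capped like maxhits, and counting GUID-looking tokens in the body. The message is constructed; the GUID pattern uses the standard 8-4-4-4-12 layout.

```python
import re
from email import message_from_string

# Constructed sample message (not a real one), modelled on the two spam types in the
# thread: 12 identical Received-SPF headers and a run of GUID-looking tokens in the body.
RAW = (
    "Received: from mta.example.test ([127.0.0.1]) by localhost\n"
    + ("Received-SPF: none (example.test: No applicable sender policy available)"
       " client-ip=192.0.2.10\n") * 12
    + "From: sender@example.test\n"
    + "Subject: test\n"
    + "\n"
    + "3f2504e0-4f89-41d3-9a0c-0305e82c3301\n"
    + "6ba7b810-9dad-11d1-80b4-00c04fd430c8\n"
    + "6ba7b811-9dad-11d1-80b4-00c04fd430c8\n"
    + "6ba7b812-9dad-11d1-80b4-00c04fd430c8\n"
)

# Same regex as the 'full' rule in the reply: anchored at line start, with /m so that
# every header line is a separate candidate, not only the first line of the message.
RECEIVED_SPF_RE = re.compile(r'^Received-SPF: \w', re.MULTILINE)
# Standard 8-4-4-4-12 hex GUID layout.
GUID_RE = re.compile(
    r'\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b', re.I)


def count_received_spf_parsed(raw):
    """Count via the header parser: get_all() returns every instance of a repeated header."""
    msg = message_from_string(raw)
    return len(msg.get_all('Received-SPF') or [])


def count_received_spf_raw(raw, maxhits=11):
    """Count by regex over the raw message, capped like 'tflags ... multiple maxhits=11'.
    A body line starting with 'Received-SPF:' would also count, which the cap bounds."""
    return min(len(RECEIVED_SPF_RE.findall(raw)), maxhits)


def crazy_received_spf(raw, threshold=10):
    """The meta rule: fire once the (capped) hit count reaches the threshold."""
    return count_received_spf_raw(raw) >= threshold


def count_guids(raw):
    """Count GUID-looking tokens in the body only, so header IDs are not mistaken for them."""
    body = message_from_string(raw).get_payload()
    return len(GUID_RE.findall(body))
```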
Re: SpamAssassin 18th anniversary article
Thanks Dave, nice read and congratulations to all the SA Team. Thanks for such a wonderful piece of "sky", thanks for your time... thanks for your patience.. thanks for listening... thanks for your support.. ¡Gracias! Grazie! Danke! Merci! Obrigado!... (Dave... a birthday is not a birthday without a party, right? ;-P) --Pedro. >On Thursday, October 24, 2019, 5:29:43 PM GMT+2, Dave Wreski > wrote: > >Hi all, >>LinuxSecurity just posted an article on the history of SpamAssassin and >its recent 18th anniversary, some of the new features coming in v4, and >speaks with some of the lead developers. >>https://linuxsecurity.com/features/features/an-open-source-success-story-apache-spamassassin-celebrates-18-years-of-effectively-combating-spam-email >>We'd love to know what you think. >>Thanks, >Dave
Solved: Subject not always included as first line of body
SOLVED: I think it may be a Perl 5.24.1 bug... SA $msg cache gets empty randomly! I have written a small patch; if someone suffers the same problem, contact me.. not the best patch possible, but it works with minimum impact. - Pedreter. On Friday, October 4, 2019, 6:49:41 PM GMT+2, Pedro David Marco wrote: Hi! In SA 3.4.2 I have noticed a slight score difference between consecutive SA executions. Digging in, I have discovered that in plugin methods that use $body from the third argument, like in this example: sub pdf_is_empty_body { my ($self, $pms, $body, $min) = @_; the subject is not always included as the first line of the body (as expected), but only in 50% of calls (approx.) In SA 3.4.1 it works ok. Any idea why? (I have asked the dev list as well) Thanks.-Pedreter
Subject not always included as first line of body
Hi! In SA 3.4.2 I have noticed a slight score difference between consecutive SA executions. Digging in, I have discovered that in plugin methods that use $body from the third argument, like in this example: sub pdf_is_empty_body { my ($self, $pms, $body, $min) = @_; the subject is not always included as the first line of the body (as expected), but only in 50% of calls (approx.) In SA 3.4.1 it works ok. Any idea why? (I have asked the dev list as well) Thanks.-Pedreter
Re: announcement about invaluement (or more like a tease?)
Best wishes Rob... On Monday, August 26, 2019, 3:24:18 AM GMT+2, Rob McEwen wrote: announcement about invaluement (or more like a tease?) https://www.linkedin.com/feed/update/urn:li:activity:6571558988201148416/ -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032
plugin that runs only if specific rule has triggered before...
Hi all... I want to write a plugin that only triggers if a specific rule has triggered before. Can anyone, please, point me to any already existing Perl code that can help me or that I can reuse? Thanks! P.
Re: Quick header check question and anchors
Thanks a lot, John, Bill, RW... I now see it crystal clear... On Thursday, May 16, 2019, 10:59:19 PM GMT+2, RW wrote: On Thu, 16 May 2019 13:31:27 + (UTC) Pedro David Marco wrote: > Hi! > I have a Received like this: > > Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90]) > by > > > I want a rule to match the beginning of a Received: > A rule like this works ok: > > header MY_RULE Received =~ /.*from pafkiet.edu.pk/ > > and in debug mode it shows: > MY_RULE ==> got hit: "from pafkiet.edu.pk" > > BUT if I add the ^ anchor to the rule then it does not work... > header MY_RULE Received =~ /^from pafkiet.edu.pk/ > > Why??? Because you missed out the /m modifier. Without it your rule can only match the top received header. So header MY_RULE Received =~ /^from pafkiet.edu.pk/m
Quick header check question and anchors
Hi! I have a Received like this: Received: from pafkiet.edu.pk (email.pafkiet.edu.pk [203.170.75.90]) by I want a rule to match the beginning of a Received: A rule like this works ok: header MY_RULE Received =~ /.*from pafkiet.edu.pk/ and in debug mode it shows: MY_RULE ==> got hit: "from pafkiet.edu.pk" BUT if I add the ^ anchor to the rule then it does not work... header MY_RULE Received =~ /^from pafkiet.edu.pk/ Why??? It seems there is nothing between start of line and "from"... PedroD
Re: Rule for non-DKIM-signed messages
Hi Kurt, On the contrary, most spam I see is validly DKIM-signed... tons of hacked sites... tons of emails from free trials of big cheeses... Nevertheless...
meta NO_DKIM_SIGNED ! DKIM_SIGNED
score NO_DKIM_SIGNED 2
describe NO_DKIM_SIGNED Email does not have DKIM signature
Pedro. > >On Friday, May 10, 2019, 4:26:46 AM GMT+2, Kurt Fitzner wrote: > >I've noticed on my mail server that DKIM signing is almost diagnostic of >spam. Almost no legitimate sender is without DKIM, and about 90% of my >spam is unsigned, so I want to bias non-DKIM-signed heavily towards >spam. To that end I was wondering if there are any built-in rules I can >activate to score emails that are not DKIM-signed? I'd rather use a >built-in rule than roll my own.
Re: Freshclam Safebrowsing enabled for SA
Sorry, my mistake.. excuse me! I meant: The difference between both versions is just "time": the latest URL updates take from hours to some days to go from the "good" DB to the public DB. Pedro.
Re: Freshclam Safebrowsing enabled for SA
I have played long with this and IMHO do not put your expectations too high... Google has two versions of the SafeBrowsing DB. The public one: the one you can download with the Google API and used by Clam as stated by Kevin, and a second one, used by Chrome and some security vendors (I guess by paying). The difference between both versions is just "time": the latest URL updates take from hours to some days to go from the public DB to the "good" one. Not happy enough with that, Rob McEwen's fears come true... Checks are done by removing the least significant part of each URL one by one... so a complete phishing URL will match as well as its domain does! There is a Perl module (thanks to Julien Sobrier) you can use for a SA plugin... https://metacpan.org/pod/Net::Google::SafeBrowsing4 I have tested it and it works ok but it is pretty slow since a simple URL generates many queries (because it works as Google suggests: removing the least significant part and trying again, and again, and...) Ken, Kevin, maybe it would be a good idea to have a SA plugin to use it if we modify the code to check "only" the full URL... Regards, Pedro.
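As an added example, not the Net::Google::SafeBrowsing4 module's code nor anything from the thread, here is the host-suffix / path-prefix expansion the post describes, written from the Safe Browsing lookup-expression rules as I know them (exact host plus up to four suffixes of its last five labels; exact path with and without query plus up to four prefixes from the root), with a full_only switch for the "check only the full URL" idea and what it costs. Canonicalisation is simplified to lower-casing the host (an assumption), and the blocklist entries and URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_suffixes(host):
    """Exact host, then up to four suffixes formed from its last five labels by dropping
    the leading label one at a time; a bare TLD is never queried and IPs have no suffixes."""
    if _is_ip(host):
        return [host]
    labels = host.split('.')
    out = [host]
    for i in range(max(len(labels) - 5, 0), len(labels) - 1):
        suffix = '.'.join(labels[i:])
        if suffix not in out:
            out.append(suffix)
    return out


def path_prefixes(path, query):
    """Exact path with query, exact path without query, then up to four prefixes built
    from the root downwards (trailing slash included)."""
    out = []
    if query:
        out.append(path + '?' + query)
    out.append(path)
    prefixes, prefix = ['/'], '/'
    for seg in path.split('/')[1:-1][:3]:   # directory components, last component dropped
        prefix += seg + '/'
        prefixes.append(prefix)
    for p in prefixes:
        if p not in out:
            out.append(p)
    return out


def lookup_expressions(url, full_only=False):
    """All host/path combinations a client would hash and look up for this URL.
    With full_only=True only the exact URL is used: one query instead of up to 30,
    at the cost of no longer matching domain- or directory-level list entries."""
    u = urlsplit(url)
    host = (u.hostname or '').lower()   # simplified canonicalisation (assumption)
    path = u.path or '/'
    if full_only:
        return [host + path + ('?' + u.query if u.query else '')]
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, u.query)]


def is_listed(url, blocklist, full_only=False):
    """True if any lookup expression for the URL is in the (constructed) blocklist."""
    return any(expr in blocklist for expr in lookup_expressions(url, full_only))


if __name__ == '__main__':
    # Constructed list with one domain-level entry: the full-URL-only check misses it.
    blocklist = {'phish.example/'}
    url = 'http://phish.example/login/verify.html?id=1'
    print(len(lookup_expressions(url)), is_listed(url, blocklist))              # 4 True
    print(len(lookup_expressions(url, True)), is_listed(url, blocklist, True))  # 1 False
```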
Re: White text + white background
>On Thursday, March 21, 2019, 1:16:31 PM GMT+1, Martin Gregorie wrote: >When I've seen white text used, it's been set via a tag, i.e, > .. text .. >or > .. text .. > >It's easy enough to match either in a body rule. Thanks Martin, the problem is that I want to detect white text ONLY when the background of that text is white as well, because then the text is invisible... -PedroD
White text + white background
Hi... Any idea about how to detect white text over white background in HTML? Thanks. -PedroD
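As an added example (not from the thread), a small HTML walker that reports text whose effective colour equals its effective background, inheriting both from the enclosing tags, so white-on-navy is left alone while white-on-white (set via font color, bgcolor or inline style) is reported, which is the distinction asked for above. It assumes black text on a white page by default, a short colour-name table, and a constructed HTML sample.

```python
import re
from html.parser import HTMLParser

# Small CSS colour-name table: enough for the demo, not the full list (assumption).
NAMED = {'white': 'ffffff', 'black': '000000', 'red': 'ff0000', 'blue': '0000ff',
         'yellow': 'ffff00', 'navy': '000080'}


def norm_color(value):
    """Normalise 'white', '#FFF', '#ffffff' or 'rgb(255,255,255)' to 'ffffff'; None if unknown."""
    if not value:
        return None
    v = value.strip().lower()
    if v in NAMED:
        return NAMED[v]
    m = re.fullmatch(r'#?([0-9a-f]{3}|[0-9a-f]{6})', v)
    if m:
        h = m.group(1)
        return h if len(h) == 6 else ''.join(c * 2 for c in h)
    m = re.fullmatch(r'rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', v)
    if m:
        return ''.join('%02x' % min(int(x), 255) for x in m.groups())
    return None


def style_props(style):
    """Split 'color: #fff; background: white' into a dict of lower-cased properties."""
    props = {}
    for decl in (style or '').split(';'):
        if ':' in decl:
            k, v = decl.split(':', 1)
            props[k.strip().lower()] = v.strip()
    return props


class HiddenTextFinder(HTMLParser):
    """Track the effective foreground/background per open tag; collect text where they match."""

    def __init__(self, default_bg='ffffff'):
        super().__init__()
        self.stack = [(None, '000000', default_bg)]   # (tag, fg, bg): black on white by default
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        _, fg, bg = self.stack[-1]
        props = style_props(a.get('style'))
        fg = norm_color(props.get('color')) or (norm_color(a.get('color')) if tag == 'font' else None) or fg
        bg_val = props.get('background-color') or props.get('background') or a.get('bgcolor') or ''
        first = re.match(r'\s*(rgb\([^)]*\)|\S+)', bg_val)   # first token of a shorthand value
        bg = (norm_color(first.group(1)) if first else None) or bg
        self.stack.append((tag, fg, bg))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void tags such as <br>.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = ' '.join(data.split())
        _, fg, bg = self.stack[-1]
        if text and fg == bg:
            self.hidden.append(text)


def find_hidden_text(html, default_bg='ffffff'):
    """Return the text runs that would be invisible (same colour as their background)."""
    p = HiddenTextFinder(default_bg)
    p.feed(html)
    p.close()
    return p.hidden


# Constructed sample: two invisible runs, two legitimate light-on-dark runs.
SAMPLE_HTML = """
<body>
<p>Hello <font color="white">HIDDEN ONE</font> there</p>
<table bgcolor="#000080"><tr><td><font color="#FFF">visible on navy</font></td></tr></table>
<div style="background-color: rgb(255, 255, 255)"><span style="color:#ffffff">HIDDEN TWO</span></div>
<span style="color:#fff;background:#333 url(x.png)">visible on dark</span>
</body>
"""
```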
Scoring HTTPS to HTTP
Hi everybody... may I ask your opinion about how strongly you score links that use HTTPS in the anchor but really go to HTTP... I would love to score them heavily but I am finding them very often in newsletters and notifications from big manufacturers (among HTML errors, MIME errors, etc., in a great paradox because they "sell" email security and according to Gartner they are the "Masters of the Universe"). ---PedroD
Semioff-topic: DoS mitigation technique mentioned in SA-list
Hi all, Not long ago someone on the list mentioned an interesting anti-DoS mitigation technique consisting in "playing" with attackers' TCP window sizes... (as far as I remember)... but I cannot find the post with the name of the technique :-( Please, if someone remembers the name of the technique, tell me off-list.. Thanks a lot in advance... ---PedroD.
Re: Semi Off-topic: VFEMail destroyed
How can backups and off-site backups help if the hacker is an insider? An angry sysadmin employee, for example? :-( With full knowledge of the backup system. PedroD
Re: Semi Off-topic: VFEMail destroyed
>On Thursday, February 14, 2019, 5:37:57 PM GMT+1, Kevin A. McGrail wrote: >I agree... in any case, facts like this are sad... :-( >I blame the hackers so I haven't posted about this when all the articles came >out because you don't blame the victim. Now that a little time has passed, I >hope this is a learning experience. >People should use this as the impetus to review their Disaster Recovery Plans. > Offsite and cold backups should be a requirement of any good disaster >recovery plan. One of the reasons I pay a premium for datacenter space >through ShipShapeIT.com compared to AWS cloud or Cogent ping-pipe-power is for >managed services which include monthly offsite backups. Well worth the peace >of mind and something to consider if you are out >in the cloud. I fully agree Kevin but a Disaster Recovery plan is not the same as a "Sabotage Recovery Plan"; the latter is much, much harder to implement than the former... :-( and will always have "holes" PedroD
Re: Semi Off-topic: VFEMail destroyed
>https://thehackernews.com/2019/02/vfemail-cyber-attack.html >Looks like a compromised IP from legit provider. >94.155.49.9 >daticum.com >cooolbox.bg I agree... in any case, facts like this are sad... :-(
Semi Off-topic: VFEMail destroyed
FYI https://thehackernews.com/2019/02/vfemail-cyber-attack.html?utm_source=feedburner_medium=feed_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.1926.ca0ao0c4uu.16rq -PedroD
Re: Huge spam increase
Sure, I agree Reindl, thanks.. I just was asking whether this sudden increase has been seen as well in other places... too sudden!! PedroD On Tuesday, January 22, 2019, 6:18:01 PM GMT+1, Reindl Harald wrote: On 22.01.19 at 18:12 Pedro David Marco wrote: > Out of curiosity... > > we are noticing a huge spam increase (x10) in the last 2 days... maybe > any reactivated botnet??? > > is someone noticing it as well? surely but nothing makes it through a proper MTA with postscreen and RBL weights and so not a SA topic. On a proper setup a content filter is only the last resort
Huge spam increase
Out of curiosity... we are noticing a huge spam increase (x10) in the last 2 days... maybe any reactivated botnet??? Is someone noticing it as well? -PedroD
Re: UTF8 character in [] doesn't match
On Monday, December 24, 2018, 9:49:11 AM GMT+1, Henrik K wrote: >... so for general file portability this would be even better: > >(?:[a\xe1]|\xc3\xa1) I fully agree with Henrik, but would add a small detail... in some cases I have found problems using BODY to locate special chars (most likely, to my understanding, due to how the HTML parser manages words). Using RAWBODY as long as possible shows better results to me... >Merry Christmas all. ;-) Thanks Henrik... the same to you and everybody... PedroD
Re: New bitcoin ransom message today
BUF... this is getting beyond a joke. There are people paying to many of the BTC wallets of the scammers, hence accommodating its veracity... :-( -PedroD
SCAM Bitcoins
FYI Our "friends" of the SCAM_PORNO_BTC campaign are sending scams with wrong wallet IDs, hence the __BITCOIN_ID rule does not trigger... Be aware of this if you have METAs depending on that rule. PedroD
Re: Understanding header ALL
$BillCole++ ; # :-) Thanks Bill.. that was my concern and what I was suspecting... --Pedro.D On Saturday, December 8, 2018, 3:59:12 AM GMT+1, Bill Cole wrote: On 6 Dec 2018, at 15:25, Pedro David Marco wrote: > Thanks Bill and John... > Your words make sense to me. It seems that ALL means that SA puts all > headers into a Perl string (including \n chars) and tries the regex... > As John Hardin correctly states, a dot does not match the \n but > this is changed with the "s" regex flag. > In fact it works like a charm if I try a rule like this: > header TESTRULE2 ALL =~ > /From=.*pedro.* To=.*pedro.*/ism > This is a mystery... :-? No mystery: misunderstanding. I thought you were expecting multiple hits, but now I realize that you are just asking about the debug message. This is entirely a debug message artifact. In fact, '/.+/' will match the entire header block, however the 'dbg()' function won't print all of that, apparently due to an expansion artifact in Mail::SpamAssassin::Logger -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Available For Hire: https://linkedin.com/in/billcole
Re: Understanding header ALL
Thanks Benny, if your rule worked, it would only match FROM or TO... the great advantage of the ALL is that it "sees" all headers in one string so we can match FROM 'and' TO at the same time --PedroD

On Thursday, December 6, 2018, 10:23:17 PM GMT+1, Benny Pedersen wrote:
Pedro David Marco wrote on 2018-12-06 21:25:
> header TESTRULE2 ALL =~ /From=.*pedro.* To=.*pedro.*/ism
> This is a mystery... :-?

header TESTRULE (From|To) =~ /\.*pedro\.*/ism

don't know if it works, just my silly thinking right now
Re: Understanding header ALL
Thanks Bill and John... Your words make sense to me. It seems that ALL means that SA puts all headers into a Perl string (including \n chars) and tries the regex... As John Hardin correctly states, a dot does not match the \n but this is changed with the "s" regex flag. In fact it works like a charm if I try a rule like this:

header TESTRULE2 ALL =~ /From=.*pedro.* To=.*pedro.*/ism

This is a mystery... :-? Thanks to all... ---PedroD

On Thursday, December 6, 2018, 8:32:46 PM GMT+1, Bill Cole wrote:
On 6 Dec 2018, at 13:36, Pedro David Marco wrote:
> Thanks a lot Bill..
> I already considered the "multiple" flag and it did not work either... I mean... the rule works but I only see the first line in Debug mode...
> Pedrod

Having pondered this for a bit and looked at unhelpful docs, I *think* I understand what's going on. You cannot get multiple hits from an ALL rule because the regex is matched against the whole block of headers. Once it matches, the test is done. It might make sense to add an "ANY" pseudo-header that tests against each header, rather than "ALL" which tests against the whole text of all the headers.

-- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Available For Hire: https://linkedin.com/in/billcole
Re: Understanding header ALL
Thanks a lot Bill.. I already considered the "multiple" flag and it did not work either... I mean... the rule works but I only see the first line in Debug mode... Pedrod

On Thursday, December 6, 2018, 7:21:46 PM GMT+1, Bill Cole wrote:
On 6 Dec 2018, at 12:52, Pedro David Marco wrote:
> Hi,
> I need some wisdom from SA monks please...
> Can anyone explain briefly how header ALL works?
> If I try a rule like this:
> header TESTRULE1 ALL =~ /.+/ism
> Using -D debug mode I only "see" the first header of the email... shouldn't I see all headers?
>
> It works nice if I check for something slightly more complex, such as
> header TESTRULE2 ALL =~ /From=.*pedro.* To=.*pedro.*/ism
> but I am trying to understand how it works... and why I only see one line in Debug mode...
> Thx,
> PedroD

For a rule to match more than once per message, it needs to have the 'multiple' tflag set, e.g.:

tflags TESTRULE1 multiple maxhits=50

(It's generally wise to set *some* 'maxhits' value on a 'multiple' rule, since it can save you from runaway scanning of pathological messages.)

-- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Available For Hire: https://linkedin.com/in/billcole
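To make the "Understanding header ALL" thread above concrete, here is an added Python example (not SpamAssassin code, whose rules are Perl regexes, and not something posted on the list). It emulates the three behaviours the thread discusses: ALL as one regex over the whole header block, where the Perl s flag lets a dot cross newlines so From and To can be tested together; the same rule with tflags multiple maxhits=N, which counts hits instead of stopping at the first; and the per-header "ANY" Bill suggests. The header block, hostnames and addresses are constructed.

```python
import re

# Constructed header block, as an ALL rule sees it: every header in one
# string, newlines included. Hostnames and addresses are invented.
HEADERS = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "From: Pedro <pedro@example.com>\n"
    "To: pedro.lists@example.org\n"
    "Subject: test\n"
    "Message-ID: <abc@example.com>\n"
)

# Perl's /ism: i = case-insensitive, s = dot also matches newline,
# m = ^ and $ match at line boundaries.
ISM = re.IGNORECASE | re.DOTALL | re.MULTILINE


def header_all(pattern: str, headers: str = HEADERS, flags: int = ISM):
    """Emulate 'header RULE ALL =~ /pattern/ism' without 'tflags multiple':
    one search over the whole block, so the test is done at the first match.
    Returns the matched text, or None."""
    m = re.search(pattern, headers, flags)
    return m.group(0) if m else None


def header_all_multiple(pattern: str, headers: str = HEADERS, maxhits: int = 50) -> int:
    """Emulate the same rule with 'tflags RULE multiple maxhits=N': count
    non-overlapping matches over the block, capped at maxhits."""
    return min(len(re.findall(pattern, headers, ISM)), maxhits)


def header_any(pattern: str, headers: str = HEADERS) -> list:
    """The 'ANY' pseudo-header Bill proposes: test each header separately
    and return the names of the headers whose value matched."""
    hits = []
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and re.search(pattern, value.strip(), re.IGNORECASE):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # From and To in one regex; the s flag lets '.*' cross the newline.
    print(repr(header_all(r"From:.*pedro.*To:.*pedro")))
    # Without s, the dot stops at the newline and the cross-header match fails.
    print(header_all(r"From:.*To:", flags=re.IGNORECASE))
    # '/.+/' really does match the whole block, as Bill says.
    print(header_all(r".+") == HEADERS)
    print(header_all_multiple(r"pedro"))
    print(header_any(r"pedro"))
```

The trade-off the thread circles around is visible in the last two functions: a per-header test can tell you which headers hit, but a pattern that needs From and To at once can only be expressed against the whole block.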
